
Instance based security

Mar 3rd, 2005, 10:31 AM

Hi,
I am new to Acegi Security Framework, and I have got basic
authentication and role based security working. However, I have a
few questions about instance based security. I have a system that
stores information about employees. I need to establish instance
based security so that
- an employee can edit/view his own information
- group manager can also edit/view all employees in his dept.,
but not if the employees don't belong to his group.
- employees in the same group can view information of other
employees but they cannot edit.

- delegation: the manager may go on vacation for two weeks and
transfer his access to another person in the group. Now that
person will have all privileges temporarily (Note we are not
talking about logging in as manager, the person will continually
log in as himself, but will have privileges of manager.) Is there
any cleaner way to do it other than just creating special privileges
for that person and removing them when manager comes back?

Can someone suggest a good way to do this in the existing Acegi framework?
Thanks in advance.

Basically, you'd have a hierarchy of objects (ie acl_object_identity entries) which follows the organisational department hierarchy. Employees and managers (ie Person entities) would appear within their unit (ie OrgUnit). Take this org structure:

Corporation --> Information Systems --> Tech Operations --> Helpdesk

Jane is the CEO (at Corporation level)
James is the CIO (at Information Systems level)
Jenny is the Helpdesk manager (Helpdesk level)
Bob is a Helpdesk officer (Helpdesk level)

NB: The parent is from a PERMISSIONING level - NOT from an object relational level. The two concepts are totally different and not to be confused. acl_object_identity only cares about where effective ACLs should flow from one entity down to the next.

Now you know how to represent your people and organisational units, it's nice and simple to apply permissions....

When Persons are created, your services layer should generate (in addition to the correct acl_object_identity), an acl_permission giving that person access to the acl_object_identity.

You'll also need a "manager administration" use case, which assigns a given person extra permissions over a given department and all sub-departments. Or deletes such extra permissions. All this would do is create an acl_permission for the relevant OrgUnit's corresponding acl_object_identity. Because your permission hierarchy is properly implemented, the rights will automatically flow down.

There are variations as well. eg your "manager administration" use case could assign it to a ROLE_MANAGER_HELPDESK recipient, which obviously has permission to the helpdesk. As such when Jenny goes on holidays, Bob can be made a member of that role and immediately get the permissions.

HTH
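
The permission hierarchy and role-based delegation described in the reply above, as an added example that is not part of the original post and is not Acegi's own code. It is a simplified in-memory model of acl_object_identity and acl_permission; the mask values, table contents, the ROLE_STAFF_HELPDESK peer-view role and the "nearest entry wins" resolution rule are assumptions made for illustration.

```python
# Simplified in-memory model of the two tables named in the thread.
# All rows, mask values and the staff role below are constructed.
READ, WRITE = 1, 2

# acl_object_identity: object -> parent in the PERMISSION hierarchy (None = root)
PARENT = {
    "OrgUnit:Corporation": None,
    "OrgUnit:InformationSystems": "OrgUnit:Corporation",
    "OrgUnit:TechOperations": "OrgUnit:InformationSystems",
    "OrgUnit:Helpdesk": "OrgUnit:TechOperations",
    "Person:james": "OrgUnit:InformationSystems",
    "Person:jenny": "OrgUnit:Helpdesk",
    "Person:bob": "OrgUnit:Helpdesk",
}

# acl_permission: (object, recipient) -> mask
PERMISSION = {
    ("Person:james", "james"): READ | WRITE,  # created together with the Person
    ("Person:jenny", "jenny"): READ | WRITE,
    ("Person:bob", "bob"): READ | WRITE,
    ("OrgUnit:Helpdesk", "ROLE_MANAGER_HELPDESK"): READ | WRITE,
    ("OrgUnit:Helpdesk", "ROLE_STAFF_HELPDESK"): READ,  # hypothetical peer-view role
}


def effective_mask(obj, recipient):
    """Walk up the parent chain; the entry nearest the object wins (assumed rule)."""
    seen = set()
    while obj is not None and obj not in seen:  # guard against parent cycles
        seen.add(obj)
        if (obj, recipient) in PERMISSION:
            return PERMISSION[(obj, recipient)]
        obj = PARENT.get(obj)
    return 0  # no entry anywhere in the chain


def is_allowed(user, roles, obj, required):
    """Grant only if the user or one of their roles holds every required bit."""
    if obj not in PARENT:  # unknown object: deny by default
        return False
    recipients = {user, *roles}
    return any(effective_mask(obj, r) & required == required for r in recipients)


if __name__ == "__main__":
    staff = {"ROLE_STAFF_HELPDESK"}
    print(is_allowed("bob", staff, "Person:jenny", WRITE))  # before delegation
    print(is_allowed("bob", staff | {"ROLE_MANAGER_HELPDESK"}, "Person:jenny", WRITE))
```

Delegation here is only a change in role membership: no acl_permission row is added for Bob, so removing him from the role when the manager returns leaves nothing behind to clean up.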


Thanks Alex, indeed it will be great if you can come up with a cook book or patterns for various security scenarios. I have another question about setting up groups. We have a large application where individuals are separated into groups and we would like to set up permissions and access controls based on groups (for ease of management). Can you suggest the best way to add this to your framework?

Also, if we separate our application into physical tiers such as Web tier and application tier, is there a way to propagate security context from web to application? For example, J2EE has the Communication Secure Interoperability (CSIV2) standard to support propagation of security context. Is there an equivalent mechanism in your framework?
Thanks in advance.
